Support the commanders

Mar 16, 2003

The government has been criticized for mismanaging just about every aspect of its business. But one near the top, if not at the top, of the list of government trouble spots has to be information security.

So it should be no surprise that the Defense Department, one of the more challenged agencies in securing its information systems, proposed a rather bold plan to lock them down. DOD directive 8500.2 makes commanders responsible for the security of the information systems under their authority.

For commanders, who may lack much information technology experience, the added responsibility could be unsettling, especially because many DOD information systems are vulnerable. A House subcommittee late last year gave the department an F for its information security management. DOD could take solace in the fact that 13 of the 23 other agencies the subcommittee graded also received an F.

The new policy could be viewed as a way to shift the accountability for, and therefore the criticism of, information security out of the Pentagon. In the future, commanders will have to answer for poor security.

However, the new directive places the responsibility for security closer to the source — with the person in charge.

But the key to making the directive work is giving DOD personnel the skills needed to secure the systems. The directive calls for DOD to provide employees with the proper security training and education. The risk here is that, as in many other training efforts, the actual education will not be properly managed, given a high enough priority or fully funded. That would be a tragic mistake, especially if commanders are held accountable for the Pentagon's mistakes.

As the policy states, DOD "has a crucial responsibility to protect and defend its information and supporting information technology." If that is accurate, DOD also has a crucial responsibility to support its commanders and IT professionals by giving them the best training and education so they can do the best job. n